Vidar

Vidar is a dangerous malware family that steals information and cryptocurrency from infected users. It takes its name from the ancient Scandinavian god of vengeance. This upgraded version of the Arkei stealer has been active on the internet since 2018.

Type: Trojan
Origin: ex-USSR
First seen: 1 December, 2018
Last seen: 18 February, 2020
Also known as: Arkei
Global rank: 21
Week rank: 16
Month rank: 18
IOCs: 826

What is Vidar / Arkei malware?

Vidar is an information stealer Trojan that was first identified in December 2018. It is either a fork of Arkei or the result of its evolution. Named after the god of vengeance from Scandinavian mythology, Vidar is used to steal information from infected machines, take screenshots, steal cryptocurrency and more.

General description of Vidar

Vidar is presumed to have originated in a Russian-speaking country, since the malware is configured to stop execution if it detects that it is running on a machine located in one of the ex-USSR nations or on one that has a Russian keyboard layout.

Being another malware family sold under the MaaS (Malware-as-a-Service) business model, Vidar can be purchased on its "official" website for a hefty price tag of $700, at least for the PRO version. A stripped-down version of the malware can be obtained for just $250.

Vidar is written in the C++ programming language. Purchasing an account grants the attacker access to a control panel where the malware can be configured to target particular information on the victims' PCs. As with Arkei, cybercriminals need to take precautions to protect the main payload themselves, using a cryptor or a packer. The control panel displays the current builder version, user settings, malware status, and logs. It should be noted that the domain names Vidar uses to locate the C&C servers to which stolen data is uploaded change every four days.

Vidar is capable of stealing text files in multiple formats, browser cookies and history, browser records, including data from TOR, as well as autofill data including banking and credit card details. In addition, the malware can search for cryptocurrency wallet information, take screenshots and record private messages from various applications.

What’s more, Vidar is also known to be able to steal digital coins from offline wallets. In fact, holders of Litecoin, Bitcoin, Ethereum, Zcash, and DashCore are in potential danger, as these are the cryptocurrencies currently supported by the malware.

After collecting all targeted information, the malware archives it and sends the stolen data to a control server, after which Vidar removes traces of its work and deletes itself from the system.

Vidar malware analysis

A video recorded in ANY.RUN malware hunting service allows us to take a closer look at the lifecycle of Vidar.


Figure 1: A visual process graph generated by ANY.RUN


Figure 2: The customizable text report provided by ANY.RUN is a perfect tool to share the results of an analysis

Vidar execution process

After the user downloads and runs a malicious file, it spawns a child process and starts to collect information from the infected device. Often, once the information has been collected, the malware terminates and deletes itself via a command-line command.
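The two behaviours just described, a same-image child process followed by a command-line self-deletion of the original executable, can be turned into a simple sandbox-log heuristic. This is an added example, not ANY.RUN's code; the event format and the sample events are constructed for illustration, and the `del`-based command line is an assumption about how the self-deletion is issued.

```python
"""Flag a stealer-style self-deletion sequence in constructed sandbox process events."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    ts: float       # seconds since task start
    pid: int
    ppid: int
    image: str      # full path of the process image
    cmdline: str


# Constructed sample: the downloaded file spawns a child with the same image,
# and later a cmd.exe command deletes the original executable.
SAMPLE_EVENTS = [
    ProcEvent(0.0, 100, 50, r"C:\Users\user\Downloads\invoice.exe", r'"C:\Users\user\Downloads\invoice.exe"'),
    ProcEvent(1.2, 101, 100, r"C:\Users\user\Downloads\invoice.exe", r'"C:\Users\user\Downloads\invoice.exe"'),
    ProcEvent(3.0, 200, 50, r"C:\Windows\System32\notepad.exe", "notepad.exe readme.txt"),
    ProcEvent(9.8, 102, 101, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c del /f /q "C:\Users\user\Downloads\invoice.exe"'),
]

DEL_RE = re.compile(r"\b(del|erase)\b", re.IGNORECASE)


def find_same_image_child(events):
    """Return (parent_pid, child_pid) pairs where a process spawns a copy of its own image."""
    by_pid = {e.pid: e for e in events}
    return [(e.ppid, e.pid) for e in events
            if e.ppid in by_pid and by_pid[e.ppid].image.lower() == e.image.lower()]


def find_self_deletion(events, max_depth=8):
    """Return (cmd_pid, ancestor_pid, image) when a cmd.exe 'del' targets an ancestor's image."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("cmd.exe") or not DEL_RE.search(e.cmdline):
            continue
        anc, depth = by_pid.get(e.ppid), 0
        while anc is not None and depth < max_depth:   # walk up the process tree
            if anc.image.lower() in e.cmdline.lower():
                hits.append((e.pid, anc.pid, anc.image))
                break
            anc, depth = by_pid.get(anc.ppid), depth + 1
    return hits


if __name__ == "__main__":
    print("same-image spawns:", find_same_image_child(SAMPLE_EVENTS))
    print("self-deletion:", find_self_deletion(SAMPLE_EVENTS))
```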

How to avoid infection by Vidar?

When spread via spam email campaigns, Vidar stealer requires the user to download and run a malicious file in order to enter an active state and begin execution. Therefore, following some basic online safety rules can ensure that users will stay safe from this malware.

As such, users should be careful when downloading attachments in emails from unknown senders. The best practice is to avoid downloading such files altogether, therefore not putting oneself in danger at all.

In addition, downloading only licensed software from trustworthy sources and avoiding game hacking clients greatly reduces the risk of infection by malware such as Vidar, which uses these attack vectors to reach victims.

The distribution process of Vidar

Like other malware, Vidar / Arkei is distributed through spam email campaigns as a malicious attachment. In addition, cases of Vidar being distributed using shady software and gaming hack clients have also been recorded. Vidar targets users all over the world with the exception of some ex-USSR countries, including Russia.

How to detect Vidar / Arkei using ANY.RUN?

Some malware creates files in which it names itself. You can find such information about the Arkei trojan using ANY.RUN's "Static Discovering". Either open the "Files" tab in the lower part of the task's window, or click on the process and then on the "More Info" button in the window that appears. After that, all you need to do is click on the file.

Figure 3: Arkei's log file

Conclusion

Vidar / Arkei is a highly dangerous information stealer trojan, distributed as malware-as-a-service. Thanks to its extensive stealer feature set, the Vidar trojan can be used to retrieve a wide variety of information, including stealing select cryptocurrencies from users. Additionally, Vidar is capable of stealing data from TOR.

Thankfully, malware hunting services like ANY.RUN allow researchers to conduct extensive studies of malware samples in a secure environment, enabling them to spread information about the danger and develop effective countermeasures.

IOCs

